Fawry’s testing environment was hacked, the EGX-listed fintech giant said in a regulatory filing yesterday (pdf).
The background: A post on the dark web alleged that LockBit — arguably the world’s most sophisticated hacker group — had hacked Fawry’s systems. That claim went viral on Egyptian social media Thursday, 9 November, triggering a series of disclosures from Fawry.
A forensic audit of more than 2k servers, which serve Fawry’s full suite of products and services, has since found that while production servers were not breached, a portion of its testing environment was hacked, resulting in the compromise of some customers’ personal data.
Fawry is far from alone: Everyone from JP Morgan and Microsoft to Google, LinkedIn and the CIA has been the victim of cyberattacks at one point or another as criminal gangs, state-sanctioned actors, intelligence agencies, and large institutions wage a running battle for that most precious of commodities: information. It’s not “if” you’re going to be attacked, it’s “when” — and what you do to avoid that attack, to fight it off when it happens, and to pick up the pieces afterward.
We spoke with Fawry CEO Ashraf Sabry to unpack what happened and what comes next. This transcript of our conversation has been lightly edited for clarity and concision:
ENTERPRISE: Were you hacked, as LockBit claimed?
ASHRAF SABRY: Yes, we were. Our testing environment, where we test applications before launching to the end-user, was breached by the ransomware organization known as LockBit. Our live production environment — the one that our clients interact with when they use our services — was not subject to any compromise, as we disclosed on 10 November after a sweep of our systems.
E: Did the compromise on the testing environment include personal data, financial data, or both?
AS: Personal data only — but no data that would allow someone to use that information to execute financial transactions on our system. We ran a thorough investigation and have found no evidence at all that the breach exposed financial data. But yes, some personal data was compromised, and this is horrible. You never want to be in a position to have personal data on your system breached.
E: What type of personal information was breached?
AS: We believe it may include some customers’ names, their addresses, email addresses, this type of personal data.
E: How many clients were impacted?
AS: It is frankly hard to tell. When a ransomware group comes in, the first thing they do is encrypt the information — we just don’t have access to it. So a big part of the investigation is working backward to determine what was likely in that testing environment, which will help us identify the nature of the data, but will not enable us to quantify it — the only way to quantify it is to decrypt the encrypted files.
E: How at-risk are people whose personal information was compromised?
AS: By itself, the breach of personal data — while we regret it very deeply — does not put people at specific risk. For example: When you give someone your bank details on, say, an invoice, can they use that information to transfer money out of your account? No. Let’s say it is a credit card, and someone has the front and back of the card. Can that execute a transaction? Typically not — you need an OTP to complete a transaction. Name, email addresses, dates of birth — those things alone are not enough to give someone access to your financial life.
E: But there is a risk.
AS: There is, yes. I’m not downplaying that. But the problem isn’t that a third party could use customer data to perform financial transactions — the risk is social engineering.
E: Can you unpack that?
AS: It’s customers getting a call from someone who has some basic information about them and tries to convince them it’s their bank calling. They try to use data like this to convince a customer that it is legitimate. The same thing happens over SMS and email. People reach out, know a bit about you, and the scam is almost invariably to get you to click a link they send to “reset your password” or an attempt to get you to give them an OTP.
We’re telling all of our customers: Nobody legitimate is ever going to call you up and ask you to give them data, to reset a password, to give them an OTP. Not us, not your bank, and not the mobile network operators.
As an industry, banks and financial services providers like us need to do more to educate users about risks, because fraud attempts in the form of social engineering happen every day. Everyone in the industry has been working on this for the past 12 months — trying to drive awareness of the risk of fraud, and the message is simple: No Egyptian institution will call you to request financial information by email, phone or SMS.
The simple fact is that we all leave personal data in a multitude of places — not just with Fawry. It’s on our social media profiles. It’s on the systems of the merchants we buy from. Delivery companies know your name, address, and payment information. So does Fawry.
E: So you think the risk is contained as long as people are aware of the basics of financial fraud?
AS: Yes, but they need to be aware of social engineering attacks.
E: Hackers aren’t going to go away, whether it’s someone DDoSing a site or a ransomware group.
AS: They’re not going to disappear, and neither will the digitization of finance. There’s a global war between cyber criminals and digital institutions. Fawry and others like us need to do everything we can to prevent data breaches — and we need to teach our clients how to protect themselves. That’s an ongoing, everyday process.
I like to draw an analogy between safety in financial services and safety in the airline industry. With the right systems, the right people on the airline and airport and security sides, air travel is much safer than traveling by car. More and more people every year are flying — and the accident rate is incredibly low because of good systems. That’s what we need in the digital space, and it’s happening: More and more people transact digitally every year, and the percentage of people who are being impacted by data breaches remains low.
E: What are you doing to prevent another data breach happening in the future?
AS: Our first priority on day one was to make sure that our production system was not compromised, and thankfully we found that our core banking, MyFawry, acceptance, and other systems were 100% clean. It was later, as we went deeper into the testing system, that we found we had an issue. And it took some time to do a forensic analysis, which is what we announced [yesterday].
Today, all of our more than 2k servers are on dual active monitoring by global professionals and our teams, but it’s not just about increasing investment in software and physical security — it’s about governance, too. We’ve already invested in the latest technologies including monitoring tools, firewalls, malware agents, monitoring agents…
What we’re doing now is perhaps more important. We’re working with international organizations to review our risk management policies and framework. And we’re also working with them to see what else we need to invest in. We all need to stay on our toes, because vulnerabilities are everywhere. In just the last few months, for example, vulnerabilities with Citrix and FortiNet have exposed end users to risk.
E: Let’s change gears as we wrap this up. If your earnings release for the first nine months (pdf) of the year is anything to go by, 2023 has been good to Fawry. Why have profits grown so much faster than revenues?
AS: We’ve had a clear strategy over time of driving growth by creating new lines of business and this year we’re hitting critical mass. We’ve made key investments, and as more and more clients adopt those services, the marginal cost comes down. Revenues were up 42% in the first nine months and our bottom line has almost quadrupled.
E: Will the emphasis on new products continue in 2024, or will it be about consolidation?
AS: You can expect to see us paying a lot of attention to small businesses and sole proprietorships — businesses that have no real access to the financial system, but who have needs. We think we have the infrastructure to serve them in a way and at a cost that meets their needs, whether that’s ins., payment, lending, saving, or payments. We’ll also continue to invest in new services for MyFawry, but I’m particularly excited about looking at B2B.
It’s inarguable that B2C financial services are way ahead of B2B in Egypt, and sure, B2B is more complex — it’s more than “You buy, I send” — but there is so much to be done in this segment.